System for detecting and tracking an unauthorized person

ABSTRACT

A system includes a plurality of sensors distributed about a space. Each sensor generates sensor data associated with properties of one or more people in the space. An automated response subsystem receives the sensor data. An unauthorized activity performed by a first person in the space is detected based on at least a portion of the received sensor data. In response to detecting the unauthorized activity, tracking instructions are transmitted that identify the first person associated with the unauthorized activity. A tracking device receives the tracking instructions. A device associated with the first person is detected. Over a period of time, the tracking device sends queries to the device and receives corresponding responses from the device. The tracking device determines positions of the device within the space over the period of time.

TECHNICAL FIELD

The present disclosure relates generally to synthetic media. More particularly, the present disclosure is related to a system for detecting and tracking an unauthorized person.

BACKGROUND

A conventional security system detects a security-compromising event when an individual activates an alarm or in response to the open-closed state of an access point (e.g., via the detection of a window being opened) during times when people are not authorized to access a space. For example, during a certain portion of the day, such as during the night, no people may be authorized to move about in certain spaces such as a store or other area that is publicly accessible during the day. A security system may detect the opening of an access point during a restricted time and sound an alarm. Certain devices, such as automated teller machines (ATMs), have security protocols to authenticate the identity of a person interacting with information and/or services available through the device. There exists a need for improved technology for securing such spaces and devices.

SUMMARY

Previous security technology suffers from certain disadvantages. For example, previous technology generally only provides a generic alarm and fails to provide any information useful for providing a tailored response to a particular event. For example, if a person activates an alarm, little else is known other than that security personnel may be needed. As such, the responses available to the delayed and generic alerts of previous technology are generally very limited and inefficient. This can increase the risk of harm to the person or security of information affected by the event. This disclosure recognizes that it is preferable for an alert or other further response operations to be performed automatically without user intervention. For example, this may prevent a bad actor from being alerted to the response and improve the safety of people near the event. However, the automatic detection of and response to particular events is particularly challenging in complex spaces where multiple people can freely move about and interact with one another, such as in a store or other public gathering space. Previous technology lacks the ability to automatically detect a potentially security-compromising event in a space containing multiple people moving about, interacting with each other, and interacting with items and/or devices located within the space. Previous technology also lacks the ability to provide a tailored response based on the characteristics of a security-compromising event.

Certain embodiments of this disclosure provide unique solutions to technical problems of previous technology, including those described above, by providing systems which automatically detect unauthorized events or activity and provide an appropriate automatic response. For example, the disclosed system provides several technical advantages which may include: 1) automatically detecting an unauthorized event or activity in a space in which multiple people can move about and interact, such that security of individuals is improved in the space; 2) providing and/or initiating an automatic response to the detected event that is tailored to be appropriate for the type of event or activity in order to effectively improve security; 3) automatically identifying and/or tracking a bad actor indicated to be associated with a detected event or activity; and 4) dynamically updating device operation and security protocols in response to a detected event or activity to improve the security of people operating the device and the information and/or services available through the device. As such, this disclosure may improve the functioning of computer systems used to detect security-compromising or otherwise unauthorized activities and/or events, computer systems used to identify and/or track potential bad actors, and/or computer systems used to provide secure information and/or services, such as ATM machines.

In some embodiments, the systems, methods, and devices described in this disclosure may particularly be integrated into a practical application of an automated response subsystem that uses sensor data collected in a space to characterize features of people in the space, such as features of their movements, biometric characteristics, and the like, to detect security-compromising or unauthorized events that may be occurring. Based on scores determined from the feature values, an appropriate response is automatically initiated without the need for a person to take any action that would alert a bad actor that an alarm has been raised. The automated response subsystem provides alerts that are tailored to the detected event. The automated response subsystem improves security technology used for event detection and response by matching a detected event to appropriate response activities, such as providing an alert and instructions for tracking bad actors and/or adjusting local devices to operate according to more secure protocols. As such, the automated response subsystem also improves security of people in the space through these technical improvements to security technology.

In some embodiments, the systems, methods, and devices described in this disclosure may particularly be integrated into a practical application of a tracking device. The tracking device may identify a potential bad actor in a space (e.g., based on information from the automated response subsystem or from sensor data from sensors distributed about the space). The tracking device detects the bad actor's mobile device, determines any available identifying information from the device, and communicates with the mobile device to track the position of the bad actor. The tracking device provides an improvement to previous security technology by providing additional and/or more reliable identifying information for a bad actor detected in a space.

In some embodiments, the systems, methods, and devices described in this disclosure may particularly be integrated into a practical application of a service-providing device (e.g., an ATM) with adaptive security protocols (e.g., the adaptive-security device 108 of FIGS. 1 and 5). This adaptive-security device automatically adjusts its operating and/or security protocols in response to the detection of a potentially security-compromising event. For example, the device may limit or prevent access to certain information and/or services when a potentially security-compromising event is detected (e.g., by the automated response subsystem or by the device itself using sensor data from sensors distributed about the space).

Certain embodiments of this disclosure may include some, all, or none of these advantages. These advantages and other features will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings and claims.

In an embodiment, a system includes a plurality of sensors distributed about a space. Each sensor generates sensor data associated with properties of one or more people in the space. A gateway device receives the sensor data from each of the plurality of sensors and provides the sensor data to an automated response subsystem over a network. The automated response subsystem receives the sensor data. A first feature value is determined based on the received sensor data. The first feature value corresponds to an amount of change in a first property of a person in the space. An event score is determined based on the first feature value. The event score corresponds to a probability that an actionable event occurred within the space. The event score is compared to predefined response criteria. Based on the comparison of the event score to the predefined response criteria, an actionable event is detected, and an automated response to initiate for the detected actionable event is identified. One or both of an alert and instructions are provided in order to initiate the automated response.

In another embodiment, a system includes a plurality of sensors distributed about a space. Each sensor generates sensor data associated with properties of one or more people in the space. An automated response subsystem receives the sensor data. An unauthorized activity performed by a first person in the space is detected based on at least a portion of the received sensor data. In response to detecting the unauthorized activity, tracking instructions are transmitted that identify the first person associated with the unauthorized activity. A tracking device receives the tracking instructions. A device associated with the first person is detected. Over a period of time, the tracking device sends queries to the device and receives corresponding responses from the device. The tracking device determines, based on the sent queries and the received responses from the device, positions of the device within the space over the period of time. The tracking device generates a report that includes the determined positions of the device and provides the report to a security entity.

In yet another embodiment, a system includes a plurality of sensors distributed about a space. Each sensor generates sensor data associated with properties of one or more people in the space. An automated response subsystem receives the sensor data. An unauthorized event is detected associated with an adaptive-security device operating within the space. In response to detecting the unauthorized event, operating instructions are transmitted that identify security protocols to increase security of devices during the unauthorized event. An adaptive-security device operates within the space. Prior to receiving the operating instructions, the adaptive-security device receives user credentials and determines, based on the received credentials, that a user is authenticated. After determining the user is authenticated, secure information is presented on a display of the adaptive-security device. The adaptive-security device receives the operating instructions. After receiving the operating instructions, the adaptive-security device determines whether a user is currently accessing secure information in the adaptive-security device. If the user is currently accessing the secure information, display of at least a portion of the secure information is prevented. If the user is not currently accessing the secure information, authentication requirements are increased for accessing the secure information.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of this disclosure, reference is now made to the following brief description, taken in connection with the accompanying drawings and detailed description, wherein like reference numerals represent like parts.

FIG. 1 is a schematic diagram of an example system configured for automatic event detection and response;

FIG. 2 is a flowchart illustrating an example method of operating the automated response subsystem of the system of FIG. 1;

FIG. 3 is a flow diagram illustrating operation of the automated tracking device of the system of FIG. 1;

FIG. 4 is a flowchart illustrating an example method of operating the automated tracking device of the system of FIG. 1;

FIG. 5 is a flow diagram illustrating operation of the adaptive-security device of the system of FIG. 1;

FIG. 6 is a flowchart illustrating an example method of operating the adaptive-security device of the system of FIG. 1;

FIG. 7 is a schematic diagram of an example sensor of the system of FIG. 1; and

FIG. 8 is a diagram of an example device configured to implement certain components of the system of FIG. 1.

DETAILED DESCRIPTION

As described above, prior to this disclosure, there was a lack of tools for automatically detecting and appropriately responding to security- and/or health-compromising or otherwise unauthorized events or activities in a space. This disclosure provides a number of technical solutions to the technical problems of previous technology. For example, this disclosure provides an automated response subsystem that uses sensor data obtained from sensors distributed in a space to detect potentially security-compromising events without relying on an alarm from a person or an opened access point (which is not a relevant indicator of compromised security for many common circumstances, such as when people are allowed to move about in a space). The automated response subsystem then determines an appropriate response for the detected event and initiates the response. As such, the automated response subsystem not only improves the detection of security-compromising events compared to previous technology but also provides tailored responses that are automatically initiated in response to the detected event, thereby improving security technology. This disclosure also provides an automated tracking device which detects a bad actor associated with a detected security-compromising event and tracks the location of the bad actor using information from the bad actor's mobile device. This disclosure also provides an adaptive-security device that adjusts its security protocols based on a detected security-compromising event such that secure services and/or information are protected during the event. The automated response subsystem, tracking device, and adaptive-security device may be operated alone or in any combination to achieve technical improvements over previous technology.

System for Automatic Event Detection and Response

FIG. 1 is a schematic diagram of an example system 100 for improving the security within a space 102. The system 100 includes a physical space 102, a plurality of sensors 104, a communications gateway device 106, an adaptive-security device 108, a computing device 120, a tracking device 122, an automated response subsystem 124, a security entity 146, and a network 148.

The physical space 102 may be any physical space, such as a store, data storage room, or other area accessible to a number of people 110, 114, 118. In the example of FIG. 1, the space 102 is an enclosed area in which people 110, 114, 120 can move about and interact with each other and with adaptive-security device 108. The sensors 104 are distributed about the space (e.g., located on the walls, ceiling, and/or floor of the space 102). In the example of FIG. 1, the space 102 includes the communications gateway 106, the adaptive-security device 108, the computing device 120, and the tracking device 122. However, in other embodiments, one or more of these components may be absent or additional components may be present.

The plurality of sensors 104 include any sensors operable to detect characteristics of people 110, 114, 118 moving about the space 102. The sensors 104 may include sound sensors (e.g., microphones tuned to any appropriate frequency range), infrared sensors, cameras, depth sensors, ultrasonic sensors, motion detectors, and the like. The sensors 104 may be any sensors operable to detect a movement, acceleration, posture, height, and/or one or more biometric features of the people 110, 114, 118 in the space 102. The detected biometric features may include vital signs, biometric characteristics, or the like. Sensors 104 are distributed about the space 102 in any appropriate configuration. For example, the sensors may be attached to or embedded in the ceiling, walls, and/or floor of the space 102. Sensors may be coupled to furniture (e.g., shelves, tables, etc.) in the space 102 and/or connected to devices 108, 120, 122. An example sensor 104 is described in greater detail below with respect to FIG. 7.

The sensors 104 are generally operable to generate sensor data 126 that indicates the properties of the space 102 (e.g., an amount of movement in the space 102, a number of people present in the space 102, etc.) and/or the people 110, 114, 118 in the space 102 (e.g., movement speed, acceleration, posture, height, and/or biometric features of the people 110, 114, 118). The sensors 104 may communicate sensor data 126 to the communications gateway 106 and/or directly over the network 148. In some embodiments, one or more sensors 104 may be embedded or communicatively coupled to the adaptive-security device 108 and/or the tracking device 122. For instance, one or more sensors 104 may be located on, in, or around the adaptive-security device 108 to detect potential security-compromising events 136 associated with the use of the adaptive-security device 108 (e.g., a person 114 compromising security of information and/or services provided by the adaptive-security device 108 and/or a person 110 operating the adaptive-security device 108).

The communications gateway device 106 is generally a device operable to allow communication of sensor data 126 collected from the sensors 104 over network 148 to the automated response subsystem 124. For example, the communications gateway 106 may connect the sensors 104 to a local area network operated at the space 102 to connect the various devices 108, 120, 122 and/or the sensors 104 to network 148. The communications gateway 106 may communicate with the other components in the space 102 via wired or wireless connection. The communications gateway 106 may provide sensor data 126 to the tracking device 122 and/or the adaptive-security device 108. The communications gateway 106 may be implemented using the processor, memory, and interface of the device 800 described with respect to FIG. 8 below.

The adaptive-security device 108 is any computing device or collection of computing devices operable to display information (e.g., protected or secure information) and/or provide services. For example, in certain embodiments, the adaptive-security device 108 is an ATM machine. In other embodiments, the adaptive-security device 108 is a computing device storing secure information (e.g., such as in a data room or the like). The adaptive-security device 108 may include one or more of the sensors 104 described above. The adaptive-security device 108 may be communicatively coupled to the sensors 104 to receive sensor data 126. In general, the adaptive-security device 108 is configured to adjust its authentication protocols and/or the amount or type of information and/or services accessible through the device in response to a detected event 136. Further details and examples of the operation of the adaptive-security device 108 and its hardware components are provided below with respect to FIGS. 5 and 6.

In some embodiments, the automated response subsystem 124 detects an event 136 (e.g., related to compromised security in the space 102) and provides device operation instructions 144 to adjust operation of the adaptive-security device 108. For example, the adaptive-security device 108 may be communicatively coupled to the network 148 to receive device operation instructions 144 that are determined by the automated response subsystem 124. In some embodiments, the adaptive-security device 108 itself may perform at least a portion of the functions of the automated response subsystem 124 (described further below and with respect to FIG. 2) in order to determine the device operation instructions 144 and adjust operation of the adaptive-security device 108 in response to a detected event 136.
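The summary above gives the rule the adaptive-security device 108 applies when device operation instructions 144 arrive: if a user is currently accessing secure information, display of part of it is prevented; otherwise, authentication requirements are increased. The Python below is an added example of that rule, not code from the patent; the class name, the `pin`/`otp` factor names, the instruction keys and the enrolment and account records are all constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed enrolment data and account record (assumptions, not from the patent).
ENROLLED = {"alice": {"pin": "4821", "otp": "739105"}}
ACCOUNT = {"alice": {"name": "A. Example",
                     "account_number": "0000111122",
                     "balance": "1,250.00"}}


@dataclass
class AdaptiveSecurityDevice:
    required_factors: Tuple[str, ...] = ("pin",)   # assumed baseline protocol
    session_user: Optional[str] = None             # set while a user is authenticated
    masked_fields: Set[str] = field(default_factory=set)

    def authenticate(self, user: str, presented: Dict[str, str]) -> bool:
        """Start a session only if every currently required factor matches."""
        enrolled = ENROLLED.get(user, {})
        ok = bool(enrolled) and all(
            f in enrolled
            and hmac.compare_digest(str(presented.get(f, "")), enrolled[f])
            for f in self.required_factors
        )
        self.session_user = user if ok else None
        return ok

    def display(self) -> Dict[str, str]:
        """Secure information as shown on the display, with masked fields hidden."""
        if self.session_user is None:
            return {}
        record = ACCOUNT[self.session_user]
        return {k: ("****" if k in self.masked_fields else v)
                for k, v in record.items()}

    def receive_operating_instructions(self, instructions: Dict[str, list]) -> str:
        """Apply instructions 144 using the two branches described in the summary."""
        if self.session_user is not None:
            # A user is currently accessing secure information:
            # prevent display of at least a portion of it.
            self.masked_fields |= set(instructions.get("mask_fields", []))
            return "display_restricted"
        # No active session: increase authentication requirements.
        # Factors are only ever added, so an instruction cannot weaken the protocol.
        merged = list(self.required_factors)
        merged += [f for f in instructions.get("required_factors", [])
                   if f not in merged]
        self.required_factors = tuple(merged)
        return "authentication_increased"


if __name__ == "__main__":
    instr = {"mask_fields": ["account_number", "balance"],
             "required_factors": ["pin", "otp"]}
    in_use = AdaptiveSecurityDevice()
    in_use.authenticate("alice", {"pin": "4821"})
    print(in_use.receive_operating_instructions(instr), in_use.display())
    idle = AdaptiveSecurityDevice()
    print(idle.receive_operating_instructions(instr), idle.required_factors)
```
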

The computing device 120 is generally any computing device, such as a computer, that is operated in space 102 by certain authorized users. For example, if the space 102 is a store, computing device 120 may be a kiosk or cash register operated by person 118 who may be an employee of the store (e.g., an individual with authorization, via appropriate login credentials or the like, to use computing device 120). As described further below and with respect to FIG. 2, one or more alerts 140 generated by the automated response subsystem 124 may be provided for presentation on the computing device 120. For example, an alert 140 may notify authorized person 118 of a detected event 136 in the space 102. The computing device 120 may be implemented using the processor, memory, interface, and display of the device 800 described with respect to FIG. 8 below.

The tracking device 122 is generally any device operable to track a physical position 152 of the device 116 of the person 114 indicated as a potential bad actor 150. In the example of FIG. 1, the bad actor 150 is person 114. The tracking device 122 may send and receive communication signals 134 with the device 116 of the person 114 identified as the bad actor 150 in order to identify the bad actor 150 and/or track a position 152 of the bad actor 150 in the space. In some embodiments, the automated response subsystem 124 detects an event 136 (e.g., related to compromised security in the space 102) and provides tracking instructions 142 to identify and/or track the bad actor 150. For example, the tracking device 122 may be communicatively coupled to the network 148 to receive tracking instructions 142 that are determined by the automated response subsystem 124. In some embodiments, the tracking device 122 itself may perform at least a portion of the functions of the automated response subsystem 124 (described further below and with respect to FIG. 2) in order to determine the tracking instructions 142. Further details and examples of the operation of the tracking device 122 and its hardware components are provided below with respect to FIGS. 3 and 4.

The automated response subsystem 124 may be a device or collection of devices (e.g., implemented as a server) operable to detect a security- or health-compromising event 136 and provide an automatic response tailored to the detected event 136. The event 136 may correspond to an unauthorized activity, such that detection of an event 136 is the same as detecting an unauthorized activity performed in the space 102. Further details and examples of the operation of automated response subsystem 124 are provided below with respect to FIG. 2. The automated response subsystem 124 includes a processor 162 and a memory 164. The memory 164 includes any logic, instructions, code, and/or rules for implementing the functions of the automated response subsystem 124 using the processor 162.

The processor 162 comprises one or more processors. The processor 162 is any electronic circuitry including, but not limited to, state machines, one or more central processing unit (CPU) chips, logic units, cores (e.g. a multi-core processor), field-programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), or digital signal processors (DSPs). The processor 162 may be a programmable logic device, a microcontroller, a microprocessor, or any suitable combination of the preceding. The processor 162 is communicatively coupled to and in signal communication with the memory 164. The one or more processors are configured to process data and may be implemented in hardware and/or software. For example, the processor 162 may be 8-bit, 16-bit, 32-bit, 64-bit or of any other suitable architecture. The processor 162 may include an arithmetic logic unit (ALU) for performing arithmetic and logic operations, processor registers that supply operands to the ALU and store the results of ALU operations, and a control unit that fetches instructions from memory 164 and executes them by directing the coordinated operations of the ALU, registers and other components. In an embodiment, the function of the automated response subsystem 124 described herein is implemented using logic units, FPGAs, ASICs, DSPs, or any other suitable hardware or electronic circuitry.

The memory 164 is operable to store any data, instructions, logic, rules, or code operable to execute the functions of the automated response subsystem 124. The memory 164 comprises one or more disks, tape drives, or solid-state drives, and may be used as an over-flow data storage device, to store programs when such programs are selected for execution, and to store instructions and data that are read during program execution. The memory 164 may be volatile or non-volatile and may comprise read-only memory (ROM), random-access memory (RAM), ternary content-addressable memory (TCAM), dynamic random-access memory (DRAM), and static random-access memory (SRAM).

The automated response subsystem 124 generally uses sensor data 126 from the sensors 104 in the space 102 to detect an event 136 and determines an appropriate tailored response (e.g., sending an alert 140 and/or instructions 142, 144) for the detected event 136. To accomplish this, the automated response subsystem 124 determines feature values 128 a-c using the sensor data 126. The feature values 128 a-c may be a measure of (or a measure of a change in) a property of persons 110, 114, 118 in the space 102 (e.g., a change from an initial or baseline property). For example, feature values 128 a-c may correspond to movement speed of a person 110, 114, 118, acceleration of a person 110, 114, 118, posture of a person 110, 114, 118, presented height of a person 110, 114, 118, vital signs of a person 110, 114, 118, biometric characteristics of a person 110, 114, 118, or changes in these properties. In some embodiments, at least certain feature values 128 a-c do not correspond to a specific observable property of a person 110, 114, 118 or the space 102. Instead, one or more feature values 128 a-c may be quantitative values determined using a machine learning or artificial intelligence algorithm 152 that is trained to detect particular event types (e.g., associated with compromised safety and/or health of people 110, 114, 118 in the space 102). The algorithm may be developed by training the automated response subsystem 124 during an initial period when people 110, 114, 118 in the space 102 are actors behaving in a predefined manner associated with expected 'normal' events in the space 102 using the baseline data 158. The baseline data 158 includes sensor data 126 collected during this initial training time. One or more test scenarios may then be performed in the space 102 in which the people 110, 114, 118 behave in a manner to simulate possible events 136, such as by moving rapidly, lying on the floor, falling down, or the like to generate test scenario data 160. The test scenario data 160 may also be used to train the machine learning algorithm 152 to determine feature values 128 a-c that are most relevant to determining detected events 136. The training scenario data 160 includes sensor data 126 collected when one or more training scenarios are in progress. Any number of feature values 128 a-c may be determined as appropriate for a given application.

The feature values 128 a-c are compared, individually or in any appropriate combination, to threshold values 130 in order to determine event scores 132 a-c. Each event score 132 a-c corresponds to a probability that a given event type has occurred. For example, a first event score 132 a may correspond to the probability that a security-compromising event occurred (e.g., if a person 110, 114, 118 behaves erratically by moving or accelerating rapidly, if the biometric characteristics of the person 110, 114, 118 suddenly change, or the like). Meanwhile, a second event score 132 b may correspond to the probability that a health event 136 has occurred (e.g., if a person 110, 114, 118 falls to the ground, has a change in biometric characteristics, or the like). The event scores 132 a-c are used to determine one or more detected events 136. For example, an event 136 for a given event score 132 a-c may be detected if the event score 132 a-c is greater than a threshold value (e.g., a threshold 130 and/or 156). In some cases, an event 136 may be detected using a combination of two or more of the event scores 132 a-c. For example, a machine learning algorithm 152 may be trained using the baseline data 158 and training scenario data 160, as described above, to determine detected events 136 based on a combination of multiple event scores 132 a-c.

The automated response subsystem 124 then determines if the event scores 132 a-c (e.g., used to arrive at the detected event 136) satisfy response criteria 138 for initiating an automatic response, for example, by providing an alert 140, generating and providing tracking instructions 142 to the tracking device 122, and/or generating and providing device operation instructions 144 to the adaptive-security device 108. The response criteria 138 may be stored in the memory 162 of the automated response subsystem 124. The response criteria 138 may include, for each known response type 154 (e.g., related to responding appropriately to different security and/or health compromising situations), a corresponding threshold value 156 for one or more of the event scores 132 a-c. The response criteria 138 may require that at least one event score 132 a-c is greater than a threshold value 156 for a corresponding response type 154. In some embodiments, the response criteria 138 may require that two or more event scores 132 a-c are greater than a threshold value 156 for a response type 154. In some cases, in order for a given response criteria 138 to be satisfied, each of the thresholds 156 for a given response type 154 must be met.

A range of responses may be automatically initiated by the automated response subsystem 124, as illustrated by the various examples of this disclosure. For instance, if the event scores 132 a-c satisfy response criteria 138 for a high-level response, the automated response subsystem 124 may generate an alert 140 requesting aid from a security entity 146 (e.g., if security or health-provider personnel should be requested in response to the detected event 136). The alert 140 is then provided to the security entity 146. As another example, an alert 140 may be sent to a mobile device 112 of person 110 or the device 120 operated by person 118 if appropriate response criteria 138 are satisfied, as described with respect to the examples below. In some embodiments, a particular person (e.g., person 114) may be determined as a potential bad actor 150 associated with the detected event 136, and the automated response subsystem 124 may generate tracking instructions 142 for tracking the bad actor (e.g., moving along positions 152 illustrated in FIG. 1). In some embodiments, the detected event 136 is determined to be associated with (e.g., within a threshold distance of) an adaptive-security device 108, and the automated response subsystem 124 may generate device operation instructions 144 for improving the security of information and/or services provided by the adaptive-security device 108.

As further examples, in some cases, the first feature value 128 a corresponds to a measure of a rate of movement of person 114. The automated response subsystem 124 determines an event score 132 a by comparing the rate of movement (feature value 128 a) to a threshold movement speed included in thresholds 130 and determining that the rate of movement is greater than the threshold movement speed by an amount. The determined event score 132 a may be determined based on the amount that the rate of movement is greater than the threshold movement speed (e.g., the event score 132 a may be proportional to the amount that the movement speed feature value 128 a exceeds the threshold movement speed value 130). As another example, another feature value 128 b may correspond to an amount of change in the biometric characteristics of another person 110, 118 that is interacting with person 114. For example, another person 110, 118 may be determined to be interacting with person 114 if the other person 110, 118 is within a threshold distance of person 114 and/or is facing person 114. Another event score 132 b may be determined based on both feature values 128 a and 128 b. For example, the automated response subsystem 124 may determine a feature value 128 b corresponding to a change in the biometric characteristics of the other person 110, 118 during an interaction with person 114 and determine that the change in biometric feature value 128 b is greater than a threshold value 130 by a given amount. The event score 132 b may be determined based on the amount that the change in biometric feature value 128 b is greater than the threshold value.
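The scoring and response selection described in the preceding paragraphs can be traced end to end in the following Python, which is an added example and not code from the patent. All numeric thresholds, the saturation spans that cap a score at 1.0, the noisy-OR rule used to combine the two features into event score 132 b, and the response type names are constructed assumptions; the patent only states that a score may be proportional to the excess over a threshold 130 and that response criteria 138 compare scores to thresholds 156.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed thresholds 130 and saturation spans (assumed units: m/s and a
# normalized 0-1 biometric change). None of these values come from the patent.
THRESHOLDS_130 = {"movement_speed": 2.0, "biometric_change": 0.25}
SATURATION = {"movement_speed": 4.0, "biometric_change": 0.50}


def excess_score(feature: str, value: Optional[float]) -> float:
    """Score proportional to the amount a feature value exceeds its threshold,
    clamped to [0, 1] so it can be read as a probability."""
    if value is None or math.isnan(value):
        return 0.0                      # sensor dropout contributes no evidence
    excess = value - THRESHOLDS_130[feature]
    if excess <= 0:
        return 0.0
    return min(1.0, excess / SATURATION[feature])


def event_scores(features: Dict[str, Optional[float]]) -> Dict[str, float]:
    """score_a plays the role of 132 a (movement only); score_b plays the role
    of 132 b and depends on both feature values 128 a and 128 b."""
    a = excess_score("movement_speed", features.get("movement_speed"))
    bio = excess_score("biometric_change", features.get("biometric_change"))
    b = 1.0 - (1.0 - a) * (1.0 - bio)   # noisy-OR combination (assumption)
    return {"score_a": a, "score_b": b}


@dataclass(frozen=True)
class ResponseCriterion:
    response_type: str                  # response type 154
    thresholds: Dict[str, float]        # threshold values 156 per event score
    require_all: bool = True            # every threshold met, or at least one

    def satisfied(self, scores: Dict[str, float]) -> bool:
        hits = [scores.get(name, 0.0) > limit
                for name, limit in self.thresholds.items()]
        # An empty criterion must never fire by accident (all([]) is True).
        return bool(hits) and (all(hits) if self.require_all else any(hits))


# Constructed response criteria 138, ordered from highest-level response down.
RESPONSE_CRITERIA_138 = [
    ResponseCriterion("alert_security_entity", {"score_a": 0.8, "score_b": 0.8}),
    ResponseCriterion("tracking_instructions", {"score_a": 0.5}),
    ResponseCriterion("alert_local_device", {"score_a": 0.3, "score_b": 0.3},
                      require_all=False),
]


def select_responses(features: Dict[str, Optional[float]]) -> List[str]:
    """Return every response type whose criteria the event scores satisfy."""
    scores = event_scores(features)
    return [c.response_type for c in RESPONSE_CRITERIA_138 if c.satisfied(scores)]


if __name__ == "__main__":
    # Constructed feature values 128 for four situations.
    samples = {
        "baseline": {"movement_speed": 1.2, "biometric_change": 0.10},
        "running": {"movement_speed": 4.4, "biometric_change": 0.30},
        "severe": {"movement_speed": 7.0, "biometric_change": 0.90},
        "speed sensor offline": {"movement_speed": None, "biometric_change": 0.60},
    }
    for label, feats in samples.items():
        print(label, event_scores(feats), select_responses(feats))
```
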

The security entity 146 may be an entity tasked with responding to at least a certain subset of detected events 136. Examples of security entity 146 include a police office, a fire department, an emergency response unit, or the like. The security entity 146 may be in communication with the automated response subsystem 124 (e.g., via network 148) to receive alerts 140. Alerts 140 sent to the security entity 146 may include a request for some action, such as for security and/or health-related response personnel to travel to the space 102. An alert 140 may include an indication of the type of the detected event 136, such that an appropriate response can be more efficiently provided by the security entity 146 than was possible using previous technology that provided only a generic alarm. For example, alert 140 may (1) indicate the person 114 identified as the bad actor 150 (e.g., a report 330 may be provided with the alert 140, as described further below with respect to FIGS. 3 and 4), (2) identify a location (e.g., tracked position 318 of FIG. 3) associated with the detected event 136, (3) identify persons 110, 118 impacted by the detected event 136, and combinations of these.

The network 148 facilitates communication between and amongst the various components of the system 100. This disclosure contemplates network 148 being any suitable network operable to facilitate communication between the components of the system 100. Network 148 may include any interconnecting system capable of transmitting audio, video, signals, data, messages, or any combination of the preceding. Network 148 may include all or a portion of a public switched telephone network (PSTN), a public or private data network, a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), a local, regional, or global communication or computer network, such as the Internet, a wireline or wireless network, an enterprise intranet, or any other suitable communication link, including combinations thereof, operable to facilitate communication between the components.

In an example operation of the system 100, the system 100 detects and responds to a potential security-compromising event 136. In this example, person 114 enters the space 102 and behaves in a manner associated with a potential security-compromising event 136. The sensors 104 provide sensor data 126 to the automated response subsystem 124. The automated response subsystem 124 uses the sensor data 126 to determine feature values 128 a-c associated with the person 114 in the space 102. For example, a first feature value 128 a may be a rate of movement (or a change in the rate of movement) of the person 114, a second feature value 128 b may be a biometric characteristic (or a change in a biometric characteristic) of the person 114, and a third feature value 128 c may be a presented height or posture (or a change in this height or posture) of the person 114. Event scores 132 a-c may be determined by comparing the feature values 128 a-c to thresholds 130. If a feature value 128 a-c is greater than a threshold value 130, the probability that a particular event is occurring (i.e., an event score 132 a-c) may be increased. For example, if the person 114 suddenly begins running, moving rapidly, or moving according to certain patterns in the space 102, the person 114 may be more likely to be taking part in a security-compromising activity (or fleeing from one). The biometric characteristic(s) of the person 114 may similarly be indicative of the occurrence of a security-compromising event 136. The automated response subsystem 124 then determines if event scores 132 a-c indicate that a security-compromising event 136 is detected.

One or more responses may be automatically initiated in response to this example security-compromising event 136, as described in the following. As an example, an alert 140 may be generated and provided to the security entity 146 to request a security response to the event 136. As such, security in space 102 can be improved by alerting security entity 146 to the event 136 without requiring a person 110 or 118 to take any action (e.g., sounding an alarm) which might be recognized by the potential bad actor 150. As another example response to this example security-compromising event 136, the automated response subsystem 124 may send alert 140 to person 110 to check on the security state or wellness of the person 110 or the space 102. For example, the alert 140 may instruct person 110 and/or 118 to evacuate the space 102.

As yet another example response to this example security-compromising event 136, the automated response subsystem 124 may generate tracking instructions 142 indicating the bad actor 150 who should be tracked by the tracking device 122. For example, the tracking instructions 142 may indicate an initial position of the bad actor 150 (see FIG. 3). The tracking device 122 may receive these tracking instructions 142 and use them to detect a mobile device 116 operated by the potential bad actor 150, who is person 114 in this illustrative example. The tracking device 122 may send and receive communications 134 from the mobile device 116 to track a physical position 152 of the person 114 in the space 102. Further details and examples of tracking a person, such as person 114, are described below with respect to FIGS. 3 and 4.

As a further example response to this example security-compromising event 136, the automated response subsystem 124 may generate device operation instructions 144 for adjusting the information and/or services provided by the adaptive-security device 108. For example, if the detected event 136 is determined to be associated with (e.g., within a threshold distance of) the adaptive-security device 108, the automated response subsystem 124 may determine that operation of device 108 should be adjusted for improved security. The device operation instructions 144 may cause the adaptive-security device 108 to require increased authentication credentials (e.g., multi-factor authentication), may prevent display of certain information, and/or may reduce or eliminate services provided by the adaptive-security device 108. For example, if the adaptive-security device 108 is an ATM machine, the device operating instructions 144 may (1) require users to provide a multi-factor authentication to access account information, (2) prevent display of account balances, and/or (3) prevent or limit the amount of funds that can be withdrawn from the ATM machine. Further details and examples of adjusting operation of the adaptive-security device 108 are described below with respect to FIGS. 5 and 6.

In another example operation of the system 100, the system 100 detects and responds to a potential health-compromising event 136. In this example, person 110 is undergoing a health-compromising event 136 in the space 102 (e.g., undergoing cardiac arrest). Feature values 128 a-c for the person 110 determined from sensor data 126 may be indicative of such a health event. For example, feature values 128 a-c associated with biometric characteristics and other vital signs may be indicative of compromised health of the person 114. Similarly, feature values 128 a-c associated with the posture or the presented height of the person 114 may indicate the person 110 has fallen to the floor (e.g., if the presented height of person 114 suddenly decreases).

One or more responses may be automatically initiated in response to this example health-compromising event 136, as described in the following. As an example response, an alert 140 may be generated and provided to the security entity 146 to request health-related services. As such, security of person 110 in space 102 can be improved by alerting security entity 146 to the event 136 without requiring the person 114 to provide any communication or another person 114, 118 to notice and respond to the health-compromising event 136. As another example response to this example health-compromising event 136, the automated response subsystem 124 may send alert 140 to person 110 to check on the person's health and/or an alert 140 to the device 120 operated by person 118 to inform the local person 118 of the event 136, such that action may be taken immediately if possible/appropriate.

In yet another example operation of the system 100, the system 100 detects and responds to another potential security-compromising event 136. In this example, the event 136 is detected based on feature values 128 a-c of a person 110, 118 on which the event may be being perpetrated (e.g., by person 114). For example, the automated response subsystem 124 may determine that feature values 128 a-c associated with distress or discomfort of a person 110, 118 increase above a threshold value 130 when the person 110, 118 interacts with person 114 in the space 102. For example, the automated response subsystem 124 may determine that the biometric characteristic(s) or vital sign quantity of a person 110, 118 increases above a threshold value 130 when the person 110, 118 interacts with person 114. A machine learning algorithm 152 may be trained (e.g., using baseline data 158 and training scenario data 160 as described above) to determine feature values 128 a-c indicative of compromised safety. Once the security-compromising event 136 is detected, the same or similar responses may be automatically implemented, as described above with respect to the other example security-compromising event 136 (e.g., by providing alert(s) 140, tracking instructions 142 to track person 114, and/or device operation instructions 144 to improve security of device 108).

Example Method of Automatic Event Detection and Response

FIG. 2 is a flowchart of an example method 200 for operating the automated response subsystem 124 of FIG. 1. The method 200 improves security technology used for event detection and response by determining, for a detected event 136, an appropriately tailored response, such as providing an alert 140 and instructions 142, 144 for tracking bad actor 150 and/or adjusting local device 108 operation to improve security of information, services, and individuals. These technical improvements facilitate increased safety of information, services, and people 110, 114, 118 in the space 102.

The method 200 may begin with initial steps 202-206 during which the automated response subsystem 124 is trained for event detection and response determination 136. The method 200 may be performed by the automated response subsystem 124 (e.g., by the processor 162 of the automated response subsystem 124). For example, at step 202 sensor data 126 may be received during an initial period of time. During the initial period of time, people 110, 114, 118 in the space 102 may be behaving in a predefined manner associated with expected ‘normal’ events in the space 102 (e.g., to determine baseline data 158). During another period of time, the automated response subsystem 124 may record sensor data 126 during one or more test or training scenarios at step 204 (e.g., to determine testing scenario data 160). During the test or training scenarios, the people 110, 114, 118 behave in a manner to simulate possible events 136 (e.g., by moving rapidly, lying on the floor, falling down, etc.), such as security-compromising events, health-compromising events, and the like. At step 206, the automated response subsystem 124 is trained using the sensor data 126 from ‘normal’ scenarios from step 202 and for simulated events from step 204. For example, a machine learning algorithm 152 of the automated response subsystem 124 may be trained to determine feature values 128 a-c (e.g., whether a value corresponding to a particular measure, such as movement speed, biometric characteristics, or the like or a value established through training of a machine learning algorithm 152 to identify events 136) appropriate for determining a detected event 136.

At step 208, the automated response subsystem 124 receives sensor data 126 from one or more sensors 104 distributed about the space 102. As described above with respect to FIG. 1, the sensor data 126 may include any information collected by the sensors 104 distributed about the space 102. The sensor data 126 may be indicative of properties of the space 102 (e.g., an amount of movement in the space 102, a number of people present in the space 102, etc.) and/or the people 110, 114, 118 in the space 102 (e.g., movement, acceleration, posture, height, and/or biometric features of the people 110, 114, 118).

At step 210, the automated response subsystem 124 determines feature values 128 a-c using the sensor data 126. The feature values 128 a-c may be measures of characteristics of people 110, 114, 118 in the space 102 (e.g., their movement speed, biometric characteristics, etc.) or may be identified by training at step 206 to detect events 136. For example, a first feature value 128 a may be a rate of movement (or a change in the rate of movement) of the person 110, 114, 118, a second feature value 128 b may be a biometric characteristic (or a change in biometric characteristic) of the person 110, 114, 118, and a third feature value 128 c may be a vital sign quantity (or a change in the vital sign quantity) of the person 110, 114, 118.

At step 212, the automated response subsystem 124 determines event scores 132 a-c using the feature values 128 a-c. Each event score 132 a-c corresponds to a probability that a given event type has occurred. For example, a first event score 132 a may correspond to the probability that a security-compromising event occurred (e.g., if a person 110, 114, 118 behaves erratically by moving or accelerating rapidly, if the biometric characteristic or vital sign quantity of the person 110, 114, 118 suddenly changes, if the biometric characteristic of others interacting with the person 110, 114, 118 suddenly changes, or the like). Meanwhile, a second event score 132 b may correspond to the probability that a health-related event 136 has occurred (e.g., if a person 110, 114, 118 falls to the ground, has an increased biometric characteristic, or the like). In some cases, an event score 132 a-c may be determined using a machine learning algorithm 152 (e.g., trained according to steps 202-206). In some embodiments, the automated response subsystem 124 may employ a machine learning algorithm 152 (e.g., trained according to steps 202-206) to determine the feature scores 128 a-c and event scores 132 a-c in a single step. For example, the automated response subsystem 124 may execute a machine learning algorithm 152 that determines feature values 128 a-c and/or event scores 132 a-c as an output using the sensor data 126 as an input.

At step 214, the automated response subsystem 124 determines whether any combination of one or more event scores 132 a-c satisfies response criteria 138 for initiating an automatic response. If no response criteria 138 is satisfied, the method 200 may end (e.g., because no event 136 is detected). However, if at least one response criteria 138 is satisfied, the automated response subsystem 124 may proceed to step 216 and determine that an event 136 is detected.

At step 218, the automated response subsystem 124 determines whether a particular individual (e.g., one of people 110, 114, 118 of FIG. 1) is associated with the detected event 136. For example, if person 110 is suspected of being impacted by a security-compromising event 136 or a health-compromising event 136, the automated response subsystem 124 may determine that person 110 is associated with the detected event 136. For example, if a person 110, 114, 118 is within a threshold distance at which the event 136 is determined to have occurred in the space 102, the automated response subsystem 124 may determine that the person 110, 114, 118 is associated with the detected event 136. If a person 110, 114, 118 is determined to be associated with the detected event 136, the automated response subsystem 124 may proceed to step 220 and provide an alert 140 to the person 110, 114, 118. For example, an alert 140 provided to the person 110, 114, 118 (e.g., to a device 112, 116, 120 operated by the person 110, 114, 118) may indicate that a possible event 136 has been detected, provide instructions for exiting the space 102, and/or provide a request to confirm whether the health and/or safety of the person 110, 114, 118 is satisfactory.

At step 222, the automated response subsystem 124 determines whether a bad actor 150 associated with the event 136 is detected. For example, the automated response subsystem 124 may determine that the feature values 128 a-c and/or event scores 132 a-c indicate that a particular person 110, 114, 118 has performed or is performing an unauthorized or security-compromising activity. For instance, as described with respect to the examples above, if the rate of movement and/or biometric characteristic of person 114 increases suddenly in the space 102 and a security-compromising event 136 is detected (at step 216), person 114 may be identified as the bad actor 150 for the event 136. As another example, if other people 110, 118 display a characteristic response when near person 114 (e.g., move in order to evade person 114, display increased or changed biometric characteristic or vital sign quantity in the presence of person 114), the automated response subsystem 124 may identify the person 114 as the bad actor 150. If a bad actor 150 is identified at step 222, the automated response subsystem 124 may proceed to step 224 and provide tracking instructions 142 for identifying and/or tracking the bad actor 150. The tracking instructions 142 generally include a position 152 of the bad actor 150 in the space 102 (e.g., initial position 312 of FIG. 3) and characteristics of the bad actor 150, such as physical characteristics, biometric characteristics, or any other characteristics measurable by sensors 104 (e.g., event properties 314 of FIG. 3). The tracking instructions 142 generally provide information needed to identify the device 116 of the person 114 corresponding to the bad actor 150, such that further identification and/or tracking actions may be performed (see FIGS. 3 and 4 and corresponding description below). A tracking device 122 may use the tracking instructions 142 to identify and/or track the bad actor 150, as described in the examples above and with respect to FIGS. 3 and 4 below. In some embodiments, the automated response subsystem 124 may perform one or more of the functions of the tracking device 122 (e.g., such that one or more steps of method 400 of FIG. 4 may be performed by the automated response subsystem 124).

At step 226, the automated response subsystem 124 determines whether a service-providing device 108 that is configured for adaptive security operation is associated with the detected event 136 from step 216. For example, the automated response subsystem 124 may determine that the feature values 128 a-c and/or event scores 132 a-c indicate that the adaptive-security device 108 of FIG. 1 is associated with the detected event 136. For instance, as described with respect to the examples above, if the detected event 136 is detected within a threshold distance of the adaptive-security device 108, the automated response subsystem 124 may determine that the service-providing device 108 is associated with the detected event 136. As another example, if the detected event 136 is determined from sensor data 126 from a sensor 104 located on or near the adaptive-security device 108, the automated response subsystem 124 may determine that the service-providing device 108 is associated with the detected event 136. If this criteria of step 226 is satisfied, the automated response subsystem 124 proceeds to step 228 to provide device operation instructions 144 to the adaptive-security device 108. The adaptive-security device 108 may use the device operation instructions 144 to adjust operation of the adaptive-security device 108 to provide improved security of a person 110 operating the adaptive-security device 108, information presented by the adaptive-security device 108, and/or services provided by the adaptive-security device 108, as described in the examples above and with respect to FIGS. 5 and 6 below.

At step 230, the automated response subsystem 124 determines whether the combination of event scores 132 a-c determined at step 212 satisfy response criteria 138 for initiating a “high level” response. For example, if the event scores 132 a-c indicate that there is a greater than a threshold 156 probability that the security and/or health of a person 110, 114, 118 in the space 108 is compromised, the automated response subsystem 124 may determine that the high level response criteria 138 are satisfied. If the criteria 138 of step 230 are satisfied, the automated response subsystem 124 proceeds to step 232 and provides an alert 140 to the security entity 146. The alert 140 may include an indication of characteristics of the detected event 136, including, for example, a suspected type of security and/or health event 136, a possible identity, age, and/or other properties of persons 110, 114, 118 involved in the event 136. As such, the alert 140 may include information that could not be obtained using previous security systems, thereby improving security technology used to secure information, services, and the people 110, 114, 118 within the space 102.

If the criteria 138 of step 230 are not satisfied, an alert 140 may instead be provided locally, such as to the device 120 operated within the space 102. Alert 140 may inform an authorized person 118 (e.g., an employee working in the space 102, a local security agent, or the like) about the possible lower level detected event 136. This allows the person 118 to investigate and provide any appropriate action(s). As such, the automated response subsystem 124 and method 200 may also prevent “false alarm” type alerts from being provided to the security entity 146, thereby providing a further improvement to security technology.
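As an added illustration (not code from the disclosure), the decision flow of steps 212 to 232 can be sketched in Python. The numeric thresholds, the noisy-OR combination of scores, the action names, and the choice not to alert the suspected bad actor are assumptions; the page specifies none of them.

```python
from dataclasses import dataclass
from math import dist

# Constructed values: the page names thresholds 130 and response criteria 138
# but gives no numbers for them.
THRESHOLDS = {"speed": 2.5, "biometric_change": 0.30, "height_drop": 0.50}
FULL_SCALE = {"speed": 2.5, "biometric_change": 0.50, "height_drop": 0.50}
RESPONSE_CRITERION = 0.40     # step 214: minimum score for any response
HIGH_LEVEL_CRITERION = 0.80   # step 230: minimum score for a high-level response
THRESHOLD_DISTANCE = 3.0      # metres; "threshold distance" of steps 218 and 226


@dataclass
class Person:
    pid: int          # reference numeral used as an identifier (110, 114, 118)
    pos: tuple        # (x, y) position in the space, in metres
    features: dict    # feature name -> feature value derived from sensor data


def excess_score(name, value):
    """Score proportional to the amount a value exceeds its threshold, in [0, 1]."""
    return max(0.0, min(1.0, (value - THRESHOLDS[name]) / FULL_SCALE[name]))


def either(a, b):
    """Noisy-OR of two scores: an assumed way to base one score on two features."""
    return 1.0 - (1.0 - a) * (1.0 - b)


def score_person(person, people):
    """Step 212: return (security_score, health_score) for one person."""
    own = person.features
    nearby = [p for p in people if p is not person
              and dist(p.pos, person.pos) <= THRESHOLD_DISTANCE]
    # Change in the biometrics of others interacting with this person.
    reaction = max((excess_score("biometric_change",
                                 p.features.get("biometric_change", 0.0))
                    for p in nearby), default=0.0)
    security = either(excess_score("speed", own.get("speed", 0.0)), reaction)
    health = either(
        excess_score("height_drop", own.get("height_drop", 0.0)),
        excess_score("biometric_change", own.get("biometric_change", 0.0)))
    return security, health


def respond(people, devices):
    """Steps 212-232: return the automatic responses for one batch of features."""
    if not people:
        return []
    scored = []
    for p in people:
        security, health = score_person(p, people)
        scored += [(security, "security", p), (health, "health", p)]
    score, kind, subject = max(scored, key=lambda s: s[0])
    if score < RESPONSE_CRITERION:            # step 214: no event detected
        return []
    actions = []
    for p in people:                          # steps 218-220
        suspected = kind == "security" and p is subject
        if not suspected and dist(p.pos, subject.pos) <= THRESHOLD_DISTANCE:
            actions.append(("alert_person", p.pid))
    if kind == "security":                    # steps 222-224
        actions.append(("tracking_instructions", {
            "bad_actor": subject.pid,
            "initial_position": subject.pos,
            "event_properties": {"type": kind, "score": round(score, 2)}}))
    for name, pos in devices.items():         # steps 226-228
        if dist(pos, subject.pos) <= THRESHOLD_DISTANCE:
            actions.append(("device_operation_instructions", name,
                            ["require_mfa", "hide_balances", "limit_withdrawals"]))
    # Steps 230-232: escalate only when the high-level criterion is met.
    target = "security_entity" if score >= HIGH_LEVEL_CRITERION else "local_device"
    actions.append(("alert", target, kind))
    return actions


if __name__ == "__main__":
    # Constructed scene: person 114 runs past person 110 next to an ATM.
    scene = [Person(114, (2.0, 2.0), {"speed": 4.5, "biometric_change": 0.1}),
             Person(110, (3.0, 2.0), {"speed": 0.5, "biometric_change": 0.6}),
             Person(118, (20.0, 10.0), {"speed": 1.0})]
    for action in respond(scene, {"atm-108": (2.5, 3.0)}):
        print(action)
```

A score between the two criteria produces only the local alert to device 120, which is the "false alarm" filtering the paragraph above describes.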

Example Operation of a Tracking Device

FIG. 3 is a flow diagram 300 illustrating operation of an example tracking device 122 of FIG. 1 in greater detail. As described above, the tracking device 122 aids in identifying and/or tracking a potential bad actor 150 (e.g., detected by the automated response subsystem 124, described above). The tracking device 122 may receive tracking instructions 142, which cause the tracking device 122 to begin performing functions to identify and/or track a bad actor 150. As described above, in some embodiments, one or more functions of the automated response subsystem 124 are performed by the tracking device 122. For example, the tracking device 122 may perform at least the subset of functions of the automated response subsystem 124 to determine the tracking instructions 142.

The tracking device 122 includes a processor 334 and a memory 336. The memory 336 includes any logic, instructions, code, and/or rules for implementing the functions of the tracking device 122 using the processor 334. The processor 334 comprises one or more processors. The processor 334 is any electronic circuitry including, but not limited to, state machines, one or more central processing unit (CPU) chips, logic units, cores (e.g., a multi-core processor), field-programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), or digital signal processors (DSPs). The processor 334 may be a programmable logic device, a microcontroller, a microprocessor, or any suitable combination of the preceding. The processor 334 is communicatively coupled to and in signal communication with the memory 336. The one or more processors are configured to process data and may be implemented in hardware and/or software. For example, the processor 334 may be 8-bit, 16-bit, 32-bit, 64-bit or of any other suitable architecture. The processor 334 may include an arithmetic logic unit (ALU) for performing arithmetic and logic operations, processor registers that supply operands to the ALU and store the results of ALU operations, and a control unit that fetches instructions from memory 336 and executes them by directing the coordinated operations of the ALU, registers and other components. In an embodiment, the function of the tracking device 122 described herein is implemented using logic units, FPGAs, ASICs, DSPs, or any other suitable hardware or electronic circuitry.

The memory 336 is operable to store any data, instructions, logic, rules, or code operable to execute the functions of the tracking device 122. The memory 336 comprises one or more disks, tape drives, or solid-state drives, and may be used as an over-flow data storage device, to store programs when such programs are selected for execution, and to store instructions and data that are read during program execution. The memory 336 may be volatile or non-volatile and may comprise read-only memory (ROM), random-access memory (RAM), ternary content-addressable memory (TCAM), dynamic random-access memory (DRAM), and static random-access memory (SRAM).

After being received, the tracking instructions 142 may be stored in the memory 336 of the tracking system 122. The tracking instructions 142 include an indication of the bad actor 150, an initial position 312 of the bad actor 150, and event properties 314. For example, the tracking instructions 142 may identify person 114 as the bad actor 150. The initial position 312 is generally a location within the space 102 where the tracking device 122 should seek to locate the device 116 of the person 114 identified as the bad actor 150. For example, the initial position 312 may correspond to a position 152 of the person 114 at the time when the detected event 136 is determined. The event properties 314 include other characteristics of the detected event 136, such as the type of the detected event 136, other people 110, 118 in the space 102 that may be impacted by the bad actor 150 a and/or the detected event 136, and the like. The event properties 312 may include at least a portion of the feature values 128 a-c and/or the event scores 132 a-c determined by the automated response subsystem 124. The tracking device 122 may use the event properties 314 to aid in identifying and/or tracking the bad actor 150 and generating an appropriate report 330 for providing further response to the detected event 136, as described further below.

The tracking device 122 detects the device 116 operated by the person 114 identified as the bad actor 150. For example, the tracking device 122 may detect a network-access request 304 from the device 116 to access a local network. For example, the device 116 operated by the person 114 identified as the bad actor 150 may be configured to automatically send a request 304 to a networking device 306. The networking device 306 may be a wireless network router. The networking device 306 may be implemented using the processor, memory, and interface of the device 800 described with respect to FIG. 8 below. The tracking device 122 may monitor such requests 304, for example, by continuously or intermittently obtaining and reviewing a network request log 308 from the networking device 306. The tracking device 122 may detect the device 116 (e.g., such that query/response communications 134 can be sent and received) based on the network request log 308. For example, the tracking device 122 may detect a device 116 requesting access to the networking device 306 at the initial position 312 provided in the tracking instructions 142. As described further below, the tracking device 122 may use the network request log 308 to determine identifying information from the device 116, such as the IP address 324 of the device 116 and/or a device or user identifier 326 associated with the device 116. This information may aid in identifying (e.g., by name) the person 114 identified as the bad actor 150, thereby improving the security technology used to track and identify bad actors 150.

In some embodiments, the tracking device 122 detects the device 116 of the person 114 identified as the bad actor 150 based on one or more other communication signals 310 output by the device 116. For example, the device may output a signal 310 corresponding to an NFC communication signal, a Bluetooth signal, and/or any other type of wireless communication signal. As an example, the tracking device 122 may detect device 116 if the communication signal 310 is received from a location corresponding to the initial position 312 provided in the tracking instructions 142. As described further below, the communication signal 310 may include identifying information of the device 116 and/or person 114, such as a device identifier 326, which can be included in report 330 to more effectively respond to the detected event 136 and/or identify the bad actor 150.

The tracking device 122 may implement tracking instructions 316 (e.g., stored in the memory 336) to determine a tracked position 318 corresponding to the physical location 152 of the person 114 identified as the bad actor 150 over time in the space 102 and/or identification instructions 320 to determine additional information which may be useful for further identifying the person 114 believed to be the bad actor 150. The tracking instructions 316 and/or identification instructions 320 may be stored in the memory 336 and implemented using the processor 334 of the tracking device 122.

The tracking instructions 316, when implemented by the processor 334, may use sensor data 126 and/or query/response communications 134 to determine the tracked position 318 of the person 114 in the space 102. The tracked position 318 corresponds to the physical position or location 152 of the person 114 in the space 102 over time. For example, once the device 116 is detected, the tracking device 122 may use query/response communications 134 to track the position 152 of the device 116 in the space 102. For instance, over a period of time 302, the tracking device 122 may send queries 134 a to the device 116 and receive corresponding responses 134 b from the device 116. The tracking instructions 316 are used to determine, based on the sent queries 134 a and the received responses 134 b from the device 116, positions 152 of the device 116 within the space 102 over the period of time 302. For example, during a first portion of the period of time 302, the tracking instructions 316 may be used to determine tracked positions 318 corresponding to positions 152 a illustrated for the movement of person 114 in FIG. 3. Subsequently, during a second portion of the period of time 302, the tracking instructions 316 may be used to determine tracked positions 318 corresponding to positions 152 b illustrated for the further movement of person 114. This process may be repeated until the person 114 exits the space 102.

The identification instructions 320, when executed, cause the processor 334 to determine further identifying information for the person 114 identified as the bad actor 150 and/or the device 116 operated by this person 114. For example, as described briefly above, the identification instructions 320 may cause the processor 334 to use the network request log 308 and/or other device communication signals 310 to determine the IP address 324 of the device 116 and/or a device or user identifier 326 associated with the device 116. For example, the network request log 308 may include an entry that indicates the IP address 324 of the device 116 requesting network access. Similarly, a communication signal 310 may include an identifier 326 of the device 116 sending the signal 310. This information may be included in the report 330, described further below.

The identification instructions 320, when executed, may further cause the processor 334 to obtain an image 328 of the person 114 identified as the bad actor 150. For example, the tracking device 122 may receive an image 322 of at least a portion of the space 102. For example, image 322 may be received from one of the sensors 104 located in space 102, where the sensor 104 is a camera. The identification instructions 320 may be used to determine a portion 328 of the image 322 that includes person 114. For example, the identification instructions 320 may be used to determine an image portion 328 that corresponds to an area around the initial position 312 and/or the physical position 152 of the person 114 in the space 102 at the time the image 322 was recorded. The image portion 328 that includes person 114 may be included in the report 330, as described further below.

The tracking device 122 generates a report 330 that includes collected information about the person 114 determined to be the bad actor 150. The report 330 generally includes the tracked position 318 of the person 114 and/or any other identifying information determined using the identification instructions 320, such as the IP address 324 of the device 116, the device identifier 326 of device 116, the image 328 of person 114, and the like. The report 330 may be provided to the security entity 148, described with respect to FIG. 1 above. For instance, based on the event properties 314, the tracking device 122 may determine whether the detected event 136 satisfies criteria 138 for providing the report 330 to the security entity 148. For instance, if the event properties 318 indicate that there was greater than a threshold probability (e.g., a threshold 826 of FIG. 8) that the bad actor 150 engaged in a security-compromising event 136, the report 330 may be automatically provided to the security entity 148. In some embodiments, the report 330 may be provided to the security entity 148 in coordination with the alert 140 provided by the automated response subsystem 124, such that the security entity 148 has quick access to the report 330 when responding to the detected event 136. This can allow the security entity 148 to have helpful information in accurately identifying the bad actor 150 when responding to the detected event 136. As such, automatic provision of report 330 to the security entity 148 provides an improvement to security technology by providing increased information to the security entity 148, such that an appropriate level and type of response is provided.

In some embodiments, the tracking device 122 associated with space 102 is in communication with a collection of tracking devices 332 located in remote locations. For example, the other tracking devices 332 may be located in other locations to perform substantially the same operations described for tracking device 122 in order to track people in different spaces. Each remote tracking device 332 may be configured the same as the tracking device 122 (e.g., with a corresponding processor 334 and memory 336 as described above). Tracking device 122 may provide the report 330 to the other tracking devices 332, such that the person 114 identified as the bad actor 150 can be detected in the other spaces monitored by devices 332. For example, the other tracking devices 332 may use the report 330 to detect the presence of the device 116 operated by person 114 in the various remote locations monitored by tracking devices 332. This facilitates the tracking of the person 114 identified as the bad actor 150 across multiple locations, thereby further improving security-related technology used for tracking potential bad actors 150.

FIG. 4 is a flowchart of an example method 400 for operating the tracking device 122 of FIGS. 1 and 3. The method 400 generally facilitates improved identification and tracking of a potential bad actor 150. Method 400 may begin at step 402 where tracking instructions 142 are received by the tracking device 122. As described above, the tracking instructions 142 include an indication of the bad actor 150, an initial position 312 of the bad actor and event properties 314. For example, the tracking instructions 142 may identify person 114 as the bad actor 150. The initial position 312 is generally a location within the space 102 where the tracking device 122 should seek to locate the device 116 of the person 114 identified as the bad actor 150. For example, the initial position 312 may correspond to a position 152 of the person 114 at the time when the detected event 136 is determined. The event properties 314 include other characteristics of the detected event 136, such as the type of the detected event 136, other people 110, 118 in the space 102 that may be impacted by the bad actor 150 and/or the detected event 136, and the like. In some embodiments, the tracking device 122 may perform at least a portion of the functions of the automated response subsystem 124. For instance, the tracking device 122 may perform at least the set of functions used to determine the tracking instructions 142, as described with respect to FIGS. 1 and 2 above. As such, the method 400 of FIG. 4 may incorporate one or more steps from the method 200 of FIG. 2 described above.

At step 404, the tracking device 122 attempts to detect the device 116 of the person 114 identified as the bad actor 150 and determines whether the device 116 is successfully detected. As described above, the tracking device 122 may detect the device 116 using information from the tracking instructions 142. For example, the tracking device 122 may detect the device 116 that is sending a request 304 for network access and/or other communications 310 from the initial position 312 indicated in the tracking instructions 142. If the device 116 is not detected, method 400 ends. Otherwise, if the device 116 is detected, the tracking device 122 proceeds to step 406.

At step 406, the tracking device 122 determines if the detected device 116 is requesting access to a local network. For example, the tracking device 122 may determine whether the device 116 has sent or is sending a network-access request 304 to networking device 306 (e.g., using the network request log 308, described above). If the device 116 is requesting or has requested network access, the tracking device 122 proceeds to step 408. At step 408, the tracking device 122 determines an IP address 324 and/or a device identifier 326 for the device 116. For example, the tracking device 122 may identify this information in an entry of the network request log 308 that corresponds to the request 304 from the device 116. If, at step 406, no request 304 for network access is identified, the tracking device 122 proceeds to step 410.

At step 410, the tracking device 122 determines if any communication signal 310 is detected from the device 116. For example, the tracking device 122 may determine whether the device 116 of the person 114 identified as the bad actor 150 is sending an NFC communication signal, a Bluetooth signal, or the like. If the device 116 is transmitting a communication signal 310, the tracking device 122 proceeds to step 412. At step 412, the tracking device 122 determines a device identifier 326 for the device 116 and/or any other information which can be obtained from the communication signal 310. For example, the tracking device 122 may determine and record (e.g., in the report 330—see step 420) the type of communication signal 310 sent by the device 116. This information may be helpful for tracking the device 116 and/or re-identifying the device 116 and/or the person 114 operating the device 116 at a later time and/or in another location. If, at step 410, no communication signal 310 is detected, the tracking device 122 proceeds to step 414.

At steps 414-418, the tracking device uses query/response communications 134 to track the physical location 152 of the device 116 in the space in order to determine the tracked position 318 of the person 114 identified as the bad actor 150. In order to facilitate the query/response communication 134, the tracking device 122 may allow the device 116 to connect to the local network, such that communication is facilitated via the local network (e.g., using networking device 306 of FIG. 3 as an intermediary if necessary). If the device 116 is sending communication signal 310, the query/response communications 134 may be achieved using the same communication type as the communication signal 310 (e.g., NFC, Bluetooth, or the like). Generally, any appropriate approach may be employed to facilitate communication 134 between the tracking device 122 and the device 116 of the person 114 identified as the bad actor 150.

At step 414, the tracking device 122 sends a query 134 a. As described above, the query 134 a may be sent via a local network or via any form of wireless communication (e.g., the same or different than that used by the device 116 to transmit communication signal 310). The query 134 a may be configured to cause the device 116 to automatically provide a response 134 b. At step 416, the tracking device 122 receives a response 134 b to the query 134 a. Steps 414 and 416 may be repeated to obtain a series of queries 134 a and corresponding responses 134 b.

At step 418, the tracking device 122 determines a tracked position 318 of the device 116 based on properties of the query/response communications 134 from steps 414 and 416. For example, the time intervals and/or directionality of query/response communications 134 over time may be used to track the person 114 in the space 102 using any appropriate tracking method. In some embodiments, the determination of the tracked position 118 may be supplemented using sensor data 126. For instance, sensor data 126 recorded from particular regions of the space 102 may be associated with the person 114 and/or the device 116.

At step 420, the tracking device 122 generates and provides a report 330 that includes the tracked position from step 418 and/or any other identifying information, such as an IP address 324 and/or device identifier 326 from steps 408 and/or 412. In some embodiments, the report 330 may further include an image 328 of the person 114 identified as the bad actor 150, as described with respect to FIG. 3 above. The report 330 may be provided to the security entity 148 and/or to remote tracking devices 332, as described above with respect to FIG. 3.

Example Operation of an Adaptive-Security Device

FIG. 5 is a flow diagram 500 illustrating operation of the adaptive-security device 108 of FIG. 1 in greater detail. As described above, the adaptive-security device 108 is generally any device (e.g., an ATM, information terminal, or the like) that is configured to provide services and/or information 510 and is configured to adjust its security protocols for improved data security in response to a detected event 136. When an event 136 is detected that may compromise security of the adaptive-security device 108, device operation instructions 144 may be provided to the adaptive-security device 108 that identify security protocols to improve security of the adaptive-security device 108. The adaptive-security device 108 then adjusts authentication protocols and/or the portion 512 a,b of the information and services 510 that are available for access through the adaptive-security device 108 (e.g., by following the “normal operation” or “restricted operation” flow of FIG. 5). As described above, in some embodiments, one or more functions of the automated response subsystem 124 are performed by the adaptive-security device 108. For example, the adaptive-security device 108 may perform at least the subset of functions of the automated response subsystem 124 to determine the device operation instructions 144.

The adaptive-security device 108 includes a processor 520, memory 522, and display 524. The memory 336 includes any logic, instructions, code, and/or rules for implementing the functions of the adaptive-security device 108 using the processor 520. The processor 520 comprises one or more processors. The processor 520 is any electronic circuitry including, but not limited to, state machines, one or more central processing unit (CPU) chips, logic units, cores (e.g. a multi-core processor), field-programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), or digital signal processors (DSPs). The processor 520 may be a programmable logic device, a microcontroller, a microprocessor, or any suitable combination of the preceding. The processor 520 is communicatively coupled to and in signal communication with the memory 522. The one or more processors are configured to process data and may be implemented in hardware and/or software. For example, the processor 520 may be 8-bit, 16-bit, 32-bit, 64-bit or of any other suitable architecture. The processor 520 may include an arithmetic logic unit (ALU) for performing arithmetic and logic operations, processor registers that supply operands to the ALU and store the results of ALU operations, and a control unit that fetches instructions from memory 522 and executes them by directing the coordinated operations of the ALU, registers and other components. In an embodiment, the function of the adaptive-security device 108 described herein is implemented using logic units, FPGAs, ASICs, DSPs, or any other suitable hardware or electronic circuitry.

The memory 522 is operable to store any data, instructions, logic, rules, or code operable to execute the functions of the adaptive-security device 108. The memory 522 comprises one or more disks, tape drives, or solid-state drives, and may be used as an over-flow data storage device, to store programs when such programs are selected for execution, and to store instructions and data that are read during program execution. The memory 522 may be volatile or non-volatile and may comprise read-only memory (ROM), random-access memory (RAM), ternary content-addressable memory (TCAM), dynamic random-access memory (DRAM), and static random-access memory (SRAM).

The display 524 is generally any appropriate graphical display such as a monitor, touchscreen, or the like. The display 524 may be operable to display an alert 140 and/or obfuscated information 526, as described further below.

As illustrated in FIG. 5, the adaptive-security device 108 is generally configured to provide certain available information and services 510. In the example case where the adaptive-security device 108 is an ATM machine, the ATM device 108 may provide account balance information and cash withdrawal services. The example adaptive-security device 108 of FIG. 5 includes an authenticator 508 that is operable to determine whether a user (e.g., person 110 of FIG. 1) can access all or a portion of the available information and services 510. For example, during normal operation (e.g., before device operation instructions 144 are received), the adaptive-security device 108 may receive user credentials 502 (e.g., from a person 110 interacting with the adaptive-security device 108) and determine whether the credentials 502 are valid/authenticated. For example, if the adaptive-security device 108 is an ATM machine, the credentials 502 may be a PIN number.

If the credentials 502 are validated, the user (e.g., person 110 of FIG. 1) is authenticated to access standard information and services 512 a, according to the “normal operation” flow of FIG. 5. Generally, the authenticator 508 may determine the portion of all available information and services 510 that are included in the standard provided information and services 512 a (e.g., based on access privileges of a given user). During normal operation (e.g., before receiving device operation instructions 144), a user will generally have access to all appropriate information and services 510 for the user, such that the provided information and services 512 a include secure information 514 a and secure services 516 a. For the example of an ATM device 108, secure information 514 a may include account balances, transaction histories, account numbers, and the like. Still referring to this example, the secure services 516 a may include the withdrawal of cash from the ATM device 108.

When the adaptive-security device 108 receives device operation instructions 144, the adaptive-security device 108 may adjust the portion of the available information and services 510 available and/or the authentication requirements for accessing information and/or services 510. For example, if a user is not already accessing secure information 514 a when the device operation instructions 144 are received, the authenticator 508 may be adjusted to increase authentication requirements for accessing the secure information 514 a and/or secure service 516 a. For example, the adaptive-security device 108 may increase authentication requirements of the authenticator 508 by requiring multifactor authentication (MFA) 506 and/or secondary authentication credentials 504. Secondary credentials 504 may include an answer to a predefined security question, a password (e.g., in addition to the standard credentials 502, which may, for example, be a PIN number for an ATM device 108), or the like. Multi-factor authentication 506 involves entry of a credential provided to the device (e.g., device 112 of person 110 of FIG. 1) of the user.

After device operation instructions 144 are received, the adaptive-security device 108 may begin operating according to the “restricted operation” flow of FIG. 5 by stopping or preventing display of at least a portion of the secure information 514 a and secure services 516 a, such that only reduced information 512 b is displayed and reduced services 516 b are available. For the example of an ATM device 108, the reduced information 514 b may exclude account balances, account numbers, and the like, and reduced services 516 b may reduce the amount of cash available from the ATM device 108 or prevent withdrawals of cash altogether.

If the user is currently accessing the secure information 514 a or otherwise already authenticated by the adaptive-security device 108, the adaptive-security device 108 may prevent access to at least a portion of services 510 provided by the adaptive-security device 108 (e.g., without necessarily preventing the user from continuing to use the adaptive-security device 108). For the example of an ATM device 108, the secure service 516 a of cash withdrawal may be prevented or limited, such that the security of this service 516 a is improved. As another example, if the user is already accessing the secure information 514 a when the device operation instructions 14 are received, the adaptive-security device 108 may prevent display of at least a portion of the secure information 514 a by obfuscating at least a portion of the secure information 514 a, such that only reduced information 514 b is available for viewing. As an example, the adaptive-security device 108 may present obfuscated information 526 on the display 524.

In some cases, the operation instructions 144 may provide an indication of whether a high level of response is needed (e.g., if there is a high probability of a security-compromising event 136, as described with respect to FIG. 1 above). If this is the case, the adaptive-security device 108 may stop operating to provide information and services 510 altogether, such that no user can be authenticated to access secure information 514 a and/or secure services 516 a. This mitigates any chance for compromise of the secure information 514 a and/or secure services 516 a during such an event 136.

FIG. 6 is a flowchart of an example method 600 for operating the adaptive-security device 108 of FIGS. 1 and 5. The method 600 generally facilitates more secure operation of the adaptive-security device 108 to provide information and services 510, particularly when a security-compromising event 136 is detected. Method 600 may begin at step 602 where device operation instructions 144 are received by the adaptive-security device 108. As described above, the device operation instructions 144 include instructions for operating the adaptive-security device 108 according to more stringent security protocols. In some embodiments, the adaptive-security device 108 may perform at least a portion of the functions of the automated response subsystem 124. For instance, the adaptive-security device 108 may perform at least the set of functions used to determine the device operation instructions 144, as described with respect to FIGS. 1 and 2 above. As such, the method 600 of FIG. 6 may incorporate one or more steps from the method 200 of FIG. 2 described above.

At step 604, the adaptive-security device 108 determines whether a user is already authenticated and using the adaptive-security device 108. If a user is not already authenticated, the adaptive-security device 108 may use steps 606-610 to adjust authentication requirements for accessing the information and services 510 available through the device 108. For example, at step 606, the adaptive-security device 108 may determine whether a high-level response is indicated by the device operation instructions 144 (see step 230 of FIG. 2). If a high level response is indicated, the adaptive-security device 108 proceeds to step 608 and prevents use of the adaptive-security device 108 (e.g., at least until the detected event 136 has ended). For example, the adaptive-security device 108 may no longer allow anyone to access any information and/or services 510 through the device 108. The method 600 may then end. Generally, this approach is only taken for high-level security-compromising events 136, because it prevents the adaptive-security device 108 from being used for a period of time.

If the high level response is not indicated at step 606, the adaptive-security device 108 may proceed instead to step 610. At step 610, the adaptive-security device 108 adjusts operation of the authenticator 508 to increase authentication requirements for accessing the secure information 514 a and/or secure service 516 a. For example, the adaptive-security device 108 may increase authentication requirements of the authenticator 508 by requiring multifactor authentication (MFA) 506 and/or secondary authentication credentials 504. Secondary credentials 504 may include an answer to a predefined security question, a password (e.g., in addition to the standard credentials 502, which may, for example, be a PIN number for an ATM device 108), or the like. Multi-factor authentication 506 involves entry of a credential provided to the device (e.g., device 112 of person 110 of FIG. 1) of the user.

At step 612, the adaptive-security device 108 may obfuscate at least a portion of the secured information 514 a, such that only reduced information 514 b is visible at the adaptive-security device 108. For instance, referring to the example of FIG. 5, the display 524 may present obfuscated information 526 in place of, or overlaid over, secure information 514 a. For the example of an ATM device 108, the obfuscated information 526 may include an obfuscated account balance, an obfuscated account number, and the like, such that this secure information 514 a cannot be viewed.

At step 614, the adaptive-security device 108 prevents and/or modifies access to the secure services 516 a, such that only reduced services 516 b are provided. The reduced services 516 b may include a portion or none of the services 510 available through the adaptive-security device 108. For the example of an ATM device 108, the reduced services 516 b may include a deposit of funds, while the secured services 516 a of a cash withdrawal and/or generation of an account balance report are prevented.
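The decision flow of method 600 (steps 602-614) for the ATM example, as an added Python illustration that is not code from the disclosure. The class and field names, the sample credentials and account values, and the choice to apply steps 612 and 614 after step 610 as well are assumptions.

```python
import hmac
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    NORMAL = "normal operation"
    RESTRICTED = "restricted operation"
    DISABLED = "out of service"          # result of step 608


@dataclass
class OperationInstructions:
    """Stand-in for device operation instructions 144 (field name assumed)."""
    high_level_response: bool


# Constructed sample data for an ATM-style device; not from the page.
ENROLLED = {"pin": "4921", "mfa_code": "730188"}
SECURE_INFO = {"account_number": "000123456789", "balance": "1250.00"}
ALL_SERVICES = {"deposit", "withdraw_cash", "balance_report"}
REDUCED_SERVICES = {"deposit"}


def obfuscate(value: str) -> str:
    """Mask every character so nothing of the value stays readable."""
    return "*" * len(value)


class AdaptiveSecurityDevice:
    def __init__(self) -> None:
        self.mode = Mode.NORMAL
        self.required_factors = {"pin"}  # standard credentials 502
        self.authenticated = False

    def authenticate(self, presented: dict) -> bool:
        """Authenticator 508: every currently required factor must match."""
        if self.mode is Mode.DISABLED:
            return False
        ok = True
        for name in sorted(self.required_factors):
            supplied = presented.get(name, "")
            # Constant-time comparison; keep checking after a mismatch.
            ok &= hmac.compare_digest(supplied.encode(), ENROLLED[name].encode())
        self.authenticated = ok
        return ok

    def receive_instructions(self, instr: OperationInstructions) -> list:
        """Method 600; returns the step numbers taken, in order."""
        steps = [602, 604]
        if not self.authenticated:
            steps.append(606)
            if instr.high_level_response:
                self.mode = Mode.DISABLED            # step 608: prevent use
                steps.append(608)
                return steps
            self.required_factors.add("mfa_code")    # step 610: step-up auth
            steps.append(610)
        # Steps 612 and 614. Applying them after step 610 as well is an
        # assumption based on the "restricted operation" flow.
        self.mode = Mode.RESTRICTED
        steps += [612, 614]
        return steps

    def visible_info(self) -> dict:
        if not self.authenticated or self.mode is Mode.DISABLED:
            return {}
        if self.mode is Mode.RESTRICTED:             # step 612
            return {k: obfuscate(v) for k, v in SECURE_INFO.items()}
        return dict(SECURE_INFO)

    def available_services(self) -> set:
        if not self.authenticated or self.mode is Mode.DISABLED:
            return set()
        if self.mode is Mode.RESTRICTED:             # step 614
            return set(REDUCED_SERVICES)
        return set(ALL_SERVICES)


def run_scenarios() -> dict:
    """Three constructed scenarios, one per branch of the flow."""
    results = {}

    idle = AdaptiveSecurityDevice()      # nobody logged in, high-level response
    results["idle_high"] = idle.receive_instructions(OperationInstructions(True))
    results["idle_high_login"] = idle.authenticate(ENROLLED)

    stepup = AdaptiveSecurityDevice()    # nobody logged in, lower-level response
    results["idle_low"] = stepup.receive_instructions(OperationInstructions(False))
    results["pin_only"] = stepup.authenticate({"pin": "4921"})
    results["pin_and_mfa"] = stepup.authenticate(ENROLLED)
    results["stepup_services"] = stepup.available_services()

    active = AdaptiveSecurityDevice()    # user already authenticated (step 604)
    active.authenticate({"pin": "4921"})
    results["active"] = active.receive_instructions(OperationInstructions(True))
    results["active_info"] = active.visible_info()
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

As in the flow described above, the high-level check at step 606 is reached only when no user is authenticated, so an active session is restricted rather than ended.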

Example Sensor of the Event Detection and Response System

FIG. 7 is an example sensor 104 of the system 100 illustrated in FIG. 1. The example sensor 104 includes a processor 702, a transmitter 704, a receiver 706, and a communications interface 706. The sensor 104 may be configured as shown or in any other suitable configuration. The sensor 104 may include more or fewer components depending on the type of the sensor 104. For example, a sensor 104 that is a camera may not include a transmitter 704. In some cases, a sensor 104 may include a memory (e.g., memory 804 of FIG. 8) coupled to the processor 702.

The processor 702 comprises one or more processors. The processor 702 is any electronic circuitry including, but not limited to, state machines, one or more central processing unit (CPU) chips, logic units, cores (e.g. a multi-core processor), field-programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), or digital signal processors (DSPs). The processor 702 may be a programmable logic device, a microcontroller, a microprocessor, or any suitable combination of the preceding. The processor 702 is communicatively coupled to and in signal communication with the transmitter 704, receiver 706, and interface 708. The one or more processors are configured to process data and may be implemented in hardware or software. For example, the processor 702 may be 8-bit, 16-bit, 32-bit, 64-bit or of any other suitable architecture. The processor 702 may include an arithmetic logic unit (ALU) for performing arithmetic and logic operations, processor registers that supply operands to the ALU and store the results of ALU operations, and a control unit that fetches instructions from a memory (e.g., memory 804 of FIG. 8) and executes them by directing the coordinated operations of the ALU, registers and other components. The one or more processors are configured to implement various instructions (e.g., for processing transmitted signals 710 and received signals 712 and providing sensor data 126 via the interface 708). In an embodiment, the function of the sensors 104 described herein is implemented using logic units, FPGAs, ASICs, DSPs, or any other suitable hardware or electronic circuitry.

The transmitter 704 is any component operable to generate a transmitted signal 710. For example, the transmitter 704 may be a radio transmitter, a sound transmitter, an ultrasonic transmitter, a light source, a laser, or the like. The transmitted signal 710 may be a radio signal, a sound (e.g., at an audible or inaudible frequency), an ultrasonic signal, a transmitted light, or any other appropriate signal type for observing properties of people 110, 114, 118 in the space 102. Properties of the transmitted signal 710 (e.g., frequency, magnitude, wavelength, etc.) may be predefined for the transmitter 704 and/or may be indicated by the processor 702. In certain embodiments, the transmitter 704 is a radio transmitter and the transmitted signal 710 is a radio signal.

The receiver 706 is any component operable to receive a received signal 712. For example, the receiver 706 may be a radio receiver, a sound sensor, an ultrasonic sensor, a light sensor, a depth sensor, a camera (e.g., visible and/or infrared), or the like. The received signal 712 may be a radio signal, a sound, an image (e.g., a visible image, infrared image, depth image, etc.), or the like. For example, the received signal 712 may be a signal resulting from the transmitted signal 710 reflecting off of surfaces and/or people 110, 114, 118 in the space 102. Such reflected radio signals may be used to detect motion, a vital sign quantity, biometric characteristic, and other properties of people 110, 114, 118 in the space 102. In some embodiments, the received signal 712 is the image 322 described with respect to FIG. 3 above.

The communications interface 708 is configured to enable wired and/or wireless communications to the gateway 106 and/or the network 148 of FIG. 1. For example, the communications interface 708 may comprise a WIFI interface, a local area network (LAN) interface, a wide area network (WAN) interface, a modem, a switch, or a router. The processor 702 may send and receive data using the communications interface 708. The communications interface 708 may be configured to use any suitable type of communication protocol as would be appreciated by one of ordinary skill in the art.

Example Device for Implementing Components of the Event Detection and Response System

FIG. 8 is an embodiment of a device 800 configured to implement various components of the system 100. The device 800 includes a processor 802, a memory 804, a network interface 806, and a display 808. The device 800 may be configured as shown or in any other suitable configuration. The device 800 may be and/or may be used to implement the user devices 112, 116, 120, the gateway device 106, and a device at the security entity 146 of FIG. 1 as well as the networking device 306 of FIG. 3.

The processor 802 comprises one or more processors operably coupled to the memory 804. The processor 802 is any electronic circuitry including, but not limited to, state machines, one or more central processing unit (CPU) chips, logic units, cores (e.g. a multi-core processor), field-programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), or digital signal processors (DSPs). The processor 802 may be a programmable logic device, a microcontroller, a microprocessor, or any suitable combination of the preceding. The processor 802 is communicatively coupled to and in signal communication with the memory 804, the network interface 806, and the display 810. The one or more processors are configured to process data and may be implemented in hardware or software. For example, the processor 802 may be 8-bit, 16-bit, 32-bit, 64-bit or of any other suitable architecture. The processor 802 may include an arithmetic logic unit (ALU) for performing arithmetic and logic operations, processor registers that supply operands to the ALU and store the results of ALU operations, and a control unit that fetches instructions from memory 804 and executes them by directing the coordinated operations of the ALU, registers and other components. The one or more processors are configured to implement various instructions. For example, the one or more processors are configured to execute instructions to implement the function disclosed herein. In an embodiment, the function described herein is implemented using logic units, FPGAs, ASICs, DSPs, or any other suitable hardware or electronic circuitry.

The memory 804 is operable to store any data, instructions, logic, rules, or code operable to execute the functions of the user devices 112, 116, 120, the gateway device 106, a device at the security entity 146, and the networking device 306 described in this disclosure. The memory 804 comprises one or more disks, tape drives, or solid-state drives, and may be used as an over-flow data storage device, to store programs when such programs are selected for execution, and to store instructions and data that are read during program execution. The memory 804 may be volatile or non-volatile and may comprise read-only memory (ROM), random-access memory (RAM), ternary content-addressable memory (TCAM), dynamic random-access memory (DRAM), and static random-access memory (SRAM).

The network interface 806 is configured to enable wired and/or wireless communications. The network interface 806 is configured to communicate data between the device 800 and other network devices, systems, or domain(s). For example, the network interface 806 may comprise a WIFI interface, a local area network (LAN) interface, a wide area network (WAN) interface, a modem, a switch, or a router. The processor 802 is configured to send and receive data using the network interface 806. The network interface 806 may be configured to use any suitable type of communication protocol as would be appreciated by one of ordinary skill in the art.

The display 808 is generally any appropriate graphical display such as a monitor, touchscreen, or the like. The display 808 may be operable to display an alert 140.

While several embodiments have been provided in this disclosure, it should be understood that the disclosed systems and methods might be embodied in many other specific forms without departing from the spirit or scope of this disclosure. The present examples are to be considered as illustrative and not restrictive, and the intention is not to be limited to the details given herein. For example, the various elements or components may be combined or integrated in another system or certain features may be omitted, or not implemented.

In addition, techniques, systems, subsystems, and methods described and illustrated in the various embodiments as discrete or separate may be combined or integrated with other systems, modules, techniques, or methods without departing from the scope of this disclosure. Other items shown or discussed as coupled or directly coupled or communicating with each other may be indirectly coupled or communicating through some interface, device, or intermediate component whether electrically, mechanically, or otherwise. Other examples of changes, substitutions, and alterations are ascertainable by one skilled in the art and could be made without departing from the spirit and scope disclosed herein.

To aid the Patent Office, and any readers of any patent issued on this application in interpreting the claims appended hereto, applicants note that they do not intend any of the appended claims to invoke 35 U.S.C. § 112(f) as it exists on the date of filing hereof unless the words “means for” or “step for” are explicitly used in the particular claim.

What is claimed is:
 1. A system comprising: a plurality of sensors distributed about a space, wherein each sensor of the plurality of sensors is operable to generate sensor data associated with properties of one or more people in the space; an automated response subsystem comprising at least one processor configured to: receive the sensor data; determine one or more event scores based on feature values of the received sensor data, wherein each event score corresponds to a probability that an event type has occurred; detect an unauthorized activity performed by a first person in the space based on the one or more event scores; and in response to detecting the unauthorized activity, transmit tracking instructions identifying the first person associated with the unauthorized activity, event properties associated with the unauthorized activity, and a threshold probability that the first person has engaged in the unauthorized activity; and a tracking device comprising a processor configured to: receive the tracking instructions; detect a device associated with the first person; over a period of time, send queries to the device and receive corresponding responses from the device, wherein the queries are sent via a wireless network and the corresponding responses are automatically generated by the device in response to the queries; determine, based on the sent queries and the received responses from the device, positions of the device within the space over the period of time; generate a report comprising the determined positions of the device; and provide the report to a security entity when the threshold probability is met.
 2. The system of claim 1, wherein the processor of the tracking device is further configured to: detect the device associated with the first person by detecting a network-access request to access a local network from the device; determine, based on the network-access request, an IP address of the device; and include the IP address in the report provided to the security entity.
 3. The system of claim 1, wherein the processor of the tracking device is further configured to: detect the device associated with the first person by detecting a communication signal output from the device; determine, based on the communication signal, device identifier for the device; and include the device identifier in the report provided to the security entity.
 4. The system of claim 1, wherein the communication signal comprises one or both of an NFC communication and a Bluetooth communication.
 5. The system of claim 1, wherein the processor of the tracking device is further configured to: receive an image of at least a portion of the space; determine a portion of the image associated with the determined positions of the device; and include at least the portion of the image in the report provided to the security entity.
 6. The system of claim 1, wherein the processor of the tracking device is further configured to provide the report to one or more remote tracking devices, wherein each of the one or more remote tracking devices is configured to use the report to detect a presence of the device in a corresponding remote location.
 7. The system of claim 1, wherein the at least one processor of the automated response subsystem is further configured to detect the unauthorized activity based on one or more of a movement speed, presented height, and a biometric characteristic of the first person.
 8. The system of claim 1, wherein the at least one processor of the automated response subsystem is further configured to detect the unauthorized activity based on one or more of a movement speed, presented height, and a biometric characteristic of another person who is interacting with the first person.
 9. A method comprising: receiving sensor data generated by a plurality of sensors distributed about a space, wherein each sensor of the plurality of sensors is operable to generate the sensor data associated with properties of one or more people in the space; determining one or more event scores based on feature values of the received sensor data, wherein each event score corresponds to a probability an even type has occurred; detecting an unauthorized activity performed by a first person in the space based on the one or more event scores; and in response to detecting the unauthorized activity, generating tracking instructions identifying the first person associated with the unauthorized activity, event properties associated with the unauthorized activity, and a threshold probability that the first person has engaged in the unauthorized activity; detecting a device associated with the first person; over a period of time, sending queries to the device and receive corresponding responses from the device, wherein the queries are sent via a wireless network and the corresponding responses are automatically generated by the device in response to the queries; determining, based on the sent queries and the received responses from the device, positions of the device within the space over the period of time; generating a report comprising the determined positions of the device; and providing the report to a security entity when the threshold probability is met.
 10. The method of claim 9, further comprising: detecting the device associated with the first person by detecting a network-access request to access a local network from the device; determining, based on the network-access request, an IP address of the device; and including the IP address in the report provided to the security entity.
 11. The method of claim 9, further comprising: detecting the device associated with the first person by detecting a communication signal output from the device; determining, based on the communication signal, device identifier for the device; and including the device identifier in the report provided to the security entity.
 12. The method of claim 9, wherein the communication signal comprises one or both of an NFC communication and a Bluetooth communication.
 13. The method of claim 9, further comprising: receiving an image of at least a portion of the space; determining a portion of the image associated with the determined positions of the device; and including at least the portion of the image in the report provided to the security entity.
 14. The method of claim 9, further comprising providing the report to one or more remote tracking devices, wherein each of the one or more remote tracking devices is configured to use the report to detect a presence of the device in a corresponding remote location.
 15. A tracking device, comprising: a memory operable to store tracking instructions generated by an automated response subsystem, wherein the tracking instructions identify a first person in a space that is detected to have performed an unauthorized activity, event properties associated with the unauthorized activity, and a threshold probability that the first person has engaged in the unauthorized activity; and a processor communicatively coupled to the memory and configured to: detect a device associated with the first person; over a period of time, send queries to the device and receive corresponding responses from the device, wherein the queries are sent via a wireless network and the corresponding responses are automatically generated by the device in response to the queries; determine, based on the sent queries and the received responses from the device, positions of the device within the space over the period of time; generate a report comprising the determined positions of the device; and provide the report to a security entity when the threshold probability is met.
 16. The tracking device of claim 15, wherein the processor is further configured to: detect the device associated with the first person by detecting a network-access request to access a local network from the device; determine, based on the network-access request, an IP address of the device; and include the IP address in the report provided to the security entity.
 17. The tracking device of claim 15, wherein the processor is further configured to: detect the device associated with the first person by detecting a communication signal output from the device; determine, based on the communication signal, device identifier for the device; and include the device identifier in the report provided to the security entity.
 18. The tracking device of claim 15, wherein the communication signal comprises one or both of an NFC communication and a Bluetooth communication.
 19. The tracking device of claim 15, wherein the processor is further configured to: receive an image of at least a portion of the space; determine a portion of the image associated with the determined positions of the device; and include at least the portion of the image in the report provided to the security entity.
 20. The tracking device of claim 15, wherein the processor is further configured to provide the report to one or more remote tracking devices, wherein each of the one or more remote tracking devices is configured to use the report to detect a presence of the device in a corresponding remote location.